See Service Pricing
Sales: (385) 217-9049
Support: (800) 400-7554
Remote Support Login
Executech

Microsoft SharePoint Phishing Scam

Want to listen instead?

We want to raise general awareness around a recent Microsoft SharePoint Phishing Scam that has been on the rise recently. What makes this scam so concerning is just how difficult it is to catch unless you know what to look for.

The attack starts via a specially crafted email. The email message appears to be a legitimate file share from a legitimate source (often coming from a compromised partner’s account to lend credibility). Here is a screenshot of the exact email we encountered, but there are many variations:

screenshot depicting the email someone might see if being targeted with this SharePoint Phishing scam

Although the link takes the user to a different domain than the originating sender, clicking the link takes you to a legitimate SharePoint site:

screenshot of where the bad link will take a victim of this SharePoint Phishing scam

The attempt to harvest credentials (steal passwords and 6-digit multi-factor authentication codes) takes place when an unsuspecting user clicks the “View document” link shown above (or something similar in other cases).

The potential victim is then taken to what appears to be a legitimate O365 login page, which prompts for credentials. As the link originated from a legitimate SharePoint site, email security filtering technology trusts it, and it seems to the user to be a valid prompt for their credentials. Furthermore, the original email often comes from a trusted partner whose account has been compromised, which makes it even more difficult to detect.

Unfortunately, the redirected site is, in fact, a method of credential harvesting by attackers. When the victim enters their credentials, including MFA code, the attackers then immediately use that information to log in to the victim’s own 365 tenant gaining access.

In order to protect against this type of attack, we recommend the following:

  • Be wary of unexpected shared SharePoint files/folders. Consider contacting the sender to confirm they shared the SharePoint link with you.
  • Be diligent in inspecting website addresses before entering any credentials or accepting a downloaded file.
  • Consider branding your organization’s O365 sign-in page and letting users know not to enter credentials on non-branded pages.
  • Consider using push authentication with number matching through the Authenticator app for multi-factor authentication (MFA) (disallow 6 digit codes via text or app). This alone would mitigate this attack.
  • We block sign ins from non-Azure AD-Joined Windows machines which significantly helps mitigate the risk.
  • Consider blocking non-US top-level domains with Sophos Web Control (recent examples have resulted in pages hosted at URLs ending in .ru (Russia), for example).
  • Please share this attack scenario with your employees for awareness.

Stay Secure!

Related Insights

SALES INQUIRIES NUMBER

(385) 217-9049

REMOTE IT SUPPORT

(800) 400-7554

CONNECT WITH US

Utah Headquarters

10876 S River Front Pkwy Ste 100
South Jordan, UT 84095

Northern California Office

1624 Santa Clara Drive, Ste 245
Roseville, CA 95661

Seattle Office

5470 Shilshole Ave NW
Suite 302
Seattle, WA 98107

Spokane Office

3808 N Sullivan Rd N-15 Ste 109
Spokane, WA 99216

SERVICES

ABOUT US

CERTIFIED BY

Microsoft
SonicWall_Registered-2C_1505328940059
Sophos
compita

Resources

SUPPORT

Search